05-11-2006 06:51 PM
I'm implementing a client-server communication mechanism using OpenSSL.
Here I have a server certificate but I don't have any client certificate.
My question is: if some third party writes an SSL client program using OpenSSL and connects to my server port, will my server accept the connection or not?
I guess the server will accept the request since it doesn't have any mechanism to validate the client certificate.
How can I prevent this from happening?
Can I implement some challenge-response mechanism?
Is there any algorithm for this in C++?
05-11-2006 08:49 PM
OpenSSL provides a variety of mechanisms to handle this. Check http://www.openssl.org/docs/ for more information. Also, googling your questions should shed some light.
05-11-2006 08:51 PM
This is just the first step: the client cannot make any requests before the SSL connection is established. When the client makes a request over that SSL connection, your server should be able to decide whether to accept it or not.
You can accept the connection (to see what the client is asking) but accepting the request should be a completely separate thing. After all, the request could be malformed, maybe even intentionally malformed to attempt an overflow attack on your server.
The client might also request something the server cannot deliver.
You need some way to recognize which clients are authorized and which are not. There are many possible methods: the designer of the software should choose an appropriate method (or several possible methods). Without knowing anything about your project it is impossible to make this choice.
Since you now have a secure SSL connection between your server and the unknown client, even a simple password authentication might be acceptable. If your server might be used with unsecured connections too, a challenge-response mechanism might be better.
A challenge-response mechanism needs to be integrated in the protocol between your client and server, so a generic algorithm would not be very useful. Basically, the challenge-response mechanism means something like this:
1.) The server and the client both know something (a shared secret). The server and client must also both have the same secure hash algorithm (MD5, SHA1...) available. The shared secret might be different for each client, so the client must tell the server who the client claims to be.
2.) The server creates a challenge, sends it to the client and stores a copy of the challenge to memory.
The challenge can be a string of random numbers, a timestamp or anything: the server *must not* use the same challenge twice (to prevent replay attacks).
3a) The client combines the challenge and the shared secret, then creates a hash from the combination using the secure hash algorithm. This is the client's response.
3b) The server makes the same operation using the stored copy of the challenge and the shared secret belonging to this client. This is the expected response.
4.) When the server receives the client's response, it is compared with the expected response. If they match, the client apparently knows the shared secret and so the server can be confident the client is whoever he claims to be.
It would be wise to make the choice of the hash algorithm configurable, and allow the use of any hash algorithm known to openssl (except ones known to be insecure). MD5 and SHA1 both have some known weaknesses, and it might be necessary to switch to some other algorithm in the future. It would be great if your program could use new algorithms that may become available in the future versions of openssl by simply using a newer
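The four steps above, as an added example that is not part of the original post, written in Python. It swaps the plain hash(challenge + secret) construction for HMAC, compares responses in constant time, and rejects MD5 and SHA1; the class, function and client names are hypothetical and the secret in any usage is a constructed sample value.

```python
import hashlib
import hmac
import secrets

# Assumption: algorithms this example refuses, following the post's advice
# to exclude hashes with known weaknesses.
REJECTED_ALGORITHMS = {"md5", "sha1"}


def compute_response(secret, challenge, algorithm="sha256"):
    """Step 3a/3b: keyed hash over the challenge (HMAC, not a bare hash)."""
    return hmac.new(secret, challenge, algorithm).digest()


class ChallengeServer:
    """Server side of the exchange; all names here are hypothetical."""

    def __init__(self, secrets_by_client, algorithm="sha256"):
        name = algorithm.lower()
        if name in REJECTED_ALGORITHMS or name not in hashlib.algorithms_available:
            raise ValueError("unsupported hash algorithm: " + algorithm)
        self.algorithm = name                        # configurable by name
        self.secrets_by_client = secrets_by_client   # step 1: per-client secret
        self.pending = {}                            # client id -> open challenge

    def issue_challenge(self, client_id):
        # Step 2: a fresh random challenge, stored until the response arrives.
        # Unknown client ids also get one, so the reply does not reveal
        # which identities exist.
        challenge = secrets.token_bytes(32)
        self.pending[client_id] = challenge
        return challenge

    def verify(self, client_id, response):
        # pop() makes each challenge single-use, so a captured response
        # cannot be replayed against the same challenge.
        challenge = self.pending.pop(client_id, None)
        secret = self.secrets_by_client.get(client_id)
        if challenge is None or secret is None:
            return False
        # Steps 3b and 4: expected response, compared in constant time.
        expected = compute_response(secret, challenge, self.algorithm)
        return hmac.compare_digest(expected, response)
```

The client only ever calls `compute_response` with its own secret and the challenge it received, so the secret itself never crosses the wire.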
05-11-2006 09:11 PM
"Since you now have a secure SSL connection between your server and the unknown client, even a simple password authentication might be acceptable. If your server might be used with unsecured connections too, a challenge-response mechanism might be better."
I don't want the server to be used with unsecured connections.
So I suppose the first method which you have described would be good enough.
Can you please give me some hints as to how to do this?
05-16-2006 03:01 AM
If I'm going to go for a client certificate,
is it necessary that both the client and server should use the same key and certificate?
I tried with both client and server using a different key-certificate set. In that case it was giving me an error…
Only when both client and server were using the same key-certificate set was it working.
If that is the case (i.e. if both client and server should use the same key and certificate) then we need not do any challenge-response, right?